DevSecOps: Embracing Automation, Letting Go of Tradition

Tyler Shields
Signal Sciences Labs
Mar 21, 2017

Waterfall development and accompanying security practices are fading.

I am all for traditions like Thanksgiving turkey and Sunday afternoon football, but holding onto traditions in your professional life can be career limiting, especially in technology. One tradition that has a limited lifespan is waterfall-native development and the security practices that go along with it.

According to the newly released 2017 DevSecOps Community Survey, 40% of respondents stated that the maturity of DevOps practices in their organization was improving, while 25% said that it was very mature across the organization or in specific pockets.

In a waterfall-native world, traditional application security approaches are bolted on late in the lifecycle, performed manually, and can take hours to days to return feedback. In DevOps-native worlds, where SDLC stages shrink to absurdly short windows, old-world technologies won’t be able to cross the chasm into this high-velocity realm.

Moving from Inhibitor to Enabler

Close to 60% of the survey respondents view security as an “inhibitor” to DevOps agility, and while 50% of developers know security is important, they don’t have enough time to spend on it. For those of us in security, there is a real opportunity in front of us: “Our brothers and sisters in DevOps are calling on us to innovate.”

The solution is security automation at the speed of DevOps. Successful application security has been defined as increased automation that doesn’t slow down the development and operations process. Imagine a scenario where developers embrace security rather than find ways to work around it.

When cycle times shrink, it’s time to rethink how we continue to refine and improve application security. As enterprises adopt and enhance DevOps, application security teams should focus on decreasing the amount of time it takes to detect an attack in progress and to respond to an identified issue. In a DevOps-native world, automation of attack detection, anomaly detection, and application security protection at runtime is paramount. Hanging on to traditions is non-essential.

One example of DevOps and security sprinting at the same pace is runtime application self-protection (RASP) and next-generation web application firewall (NGWAF) technologies. RASP and NGWAF technologies give enterprises visibility into application security attacks and data at runtime, giving security, operations, and development teams a chance to improve application security results beyond just increased speed of assessment. By taking the results of runtime security visibility and protection and feeding that information back into all stages of the development cycle, we are able to increase velocity while simultaneously increasing the security of our entire development effort.

Moving Beyond the Traditional WAF

DevOps practitioners will lead the charge to implement new application security technologies that meet these requirements, moving beyond traditional WAF deployments to modern application security technologies that embed into the heart of the application itself. The closer the protection gets to the core of the application, the stronger and more accurate the results. Automation is one of the fundamental keys to DevOps success, and security can’t be overlooked. Automation of application security will democratize security data, breaking down silos between groups while helping the entire organization operate more efficiently.

We can always just stick to tradition. Or we can choose to innovate our application security practices to incorporate learnings from the changes that are occurring around us. It’s pretty clear that innovation is required if we are to properly secure the modern application environment, and that innovation will come in the form of application security automation.

This blog is one of seven in a series providing expert commentary and analysis on the results from the 2017 DevSecOps Community Survey. For access to all of the blogs in this series and the survey report, please visit: http://info.signalsciences.com/devsecops-survey-2017

Signal Sciences is the industry’s first Web Protection Platform (WPP) providing both Next Generation WAF and RASP technologies. Signal Sciences WPP was built in response to our own frustrations of trying to use legacy application security approaches while enabling business initiatives like DevOps, cloud adoption, and CI/CD.


VP Marketing, Partnerships, Strategy for Signal Sciences